Debian Bug report logs - #699803
munin: TLS not working with v2.0

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Christian Schroetter <c_schroetter@froonix.net>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: munin: TLS not working with Munin master v2.0.x

Date: Tue, 05 Feb 2013 12:16:06 +0100

[Message part 1 (text/plain, inline)]

Package: munin
Version: 2.0.10-1
Severity: important

Dear Maintainer,

I'm using Munin with TLS since many years without any problems.

Now I've setup a new Munin master with v2.0.x on a new machine
(the old master is still running v1.4.x) and ran into some problems
with TLS enabled communication between master and node.

My setup is as follows:

 * Munin master and node on the same machine.
 * Connections through localhost. (IPv4/IPv6)
 * Tested with v2.0.6-3 (Wheezy) and 2.0.10-1 (Experimental).
 * On master and node "tls enabled" and "tls_verify_certificate no".
 * Custom "tls_private_key" and "tls_certificate" on both configs.

Now the problem:

 * The master connects to the node, TLS stuff handshake, ...
 * He gets all plugins and requests the config for "open_inodes".
 * He gets the response from the node with the full config.
 * He wants to fetch the plugin: fetch open_inodes
 * The node executes the plugin and returns the output.
 * The master doesn't receive the plugin's output.
 * After 60 seconds a timeout on both sides occurs.
 * ERROR!

The output from munin-cron and munin-node with --debug flag is attached.
Without TLS or with an old master version it works without any problems.


Regards,
Christian


-- System Information:
Debian Release: 7.0
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages munin depends on:
ii  adduser                      3.113+nmu3
ii  cron                         3.0pl1-124
ii  libdate-manip-perl           6.32-1
pn  libdigest-md5-perl           <none>
ii  libfile-copy-recursive-perl  0.38-1
ii  libhtml-template-perl        2.91-1
ii  libio-socket-inet6-perl      2.69-2
ii  liblog-log4perl-perl         1.29-1
ii  librrds-perl                 1.4.7-2
pn  libstorable-perl             <none>
ii  liburi-perl                  1.60-1
ii  munin-common                 2.0.10-1
ii  perl [libtime-hires-perl]    5.14.2-16
ii  perl-modules                 5.14.2-16
ii  rrdtool                      1.4.7-2
ii  ttf-dejavu                   2.33-3

Versions of packages munin recommends:
pn  munin-doc   <none>
ii  munin-node  2.0.10-1

Versions of packages munin suggests:
ii  apache2-mpm-prefork [httpd]  2.2.22-12
ii  elinks [www-browser]         0.12~pre5-9
ii  libapache2-mod-fcgid         1:2.3.6-1.2
ii  libnet-ssleay-perl           1.48-1+b1
ii  links2 [www-browser]         2.7-1
ii  lynx-cur [www-browser]       2.8.8dev.12-2
ii  w3m [www-browser]            0.5.3-8

-- Configuration Files:
/etc/munin/apache.conf changed [not included]
/etc/munin/munin.conf changed [not included]

-- no debconf information

[munin-node.debug (text/plain, attachment)]

[munin-cron.debug (application/octet-stream, attachment)]

Message #14 received at 699803@bugs.debian.org (full text, mbox, reply):

From: Christian Schroetter <c_schroetter@froonix.net>

To: <699803@bugs.debian.org>

Subject: Re: Bug#699803: Acknowledgement (munin: TLS not working with Munin master v2.0.x)

Date: Wed, 06 Feb 2013 11:11:49 +0100

Just to confirm this bug on new systems ;-)

Steps to reproduce on a fresh Debian installation (x86):

* Install from wheezy or experimental: munin munin-common munin-node 
munin-plugins-core linet-ssleay
* If not already done, create a snakeoil SSL cert/key or install 
apache2 with SSL support.
* Add TLS lines to munin.conf and munin-node.conf:

> tls enabled
> tls_verify_certificate no
> tls_private_key /etc/ssl/private/ssl-cert-snakeoil.key
> tls_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem

* Restart munin-node and run "munin-cron --debug" as user munin.
* The error (timeout) should be visible now.

Tested on a fresh Debian Wheezy installation in VirtualBox. One time 
with experimental packages. Also tested with a fresh Debian Squeeze 
installation, works OOTB with Munin v1.4.x.


Regards,
Christian

Message #19 received at 699803@bugs.debian.org (full text, mbox, reply):

From: Steve Schnepp <steve.schnepp@munin-monitoring.org>

To: 699803@bugs.debian.org, c_schroetter@froonix.net

Subject: Re: Bug#699803: Acknowledgement (munin: TLS not working with Munin master v2.0.x)

Date: Thu, 28 Feb 2013 14:54:54 +0100

Le 6 févr. 2013 11:21, "Christian Schroetter"
<c_schroetter@froonix.net> a écrit :

> Just to confirm this bug on new systems ;-)

I did managed to reproduce the issue. It seems that it's the SSL
handshake (master -> node) that is causing the issue... I'm looking
further on what changed between 1.4 & 2.0.

Did you also upgrade any SSL lib ?

Steve

Message #24 received at 699803@bugs.debian.org (full text, mbox, reply):

From: Christian Schroetter <c_schroetter@froonix.net>

To: Steve Schnepp <steve.schnepp@munin-monitoring.org>

Cc: <699803@bugs.debian.org>

Subject: Re: Bug#699803: Acknowledgement (munin: TLS not working with Munin master v2.0.x)

Date: Sun, 03 Mar 2013 18:40:46 +0100

> Did you also upgrade any SSL lib ?
No, pure vanilla Debian installation without other upgrades.

> I'm looking further on what changed between 1.4 & 2.0.
Thanks.


Regards,
Christian

Am 28.02.2013 14:54, schrieb Steve Schnepp:

> Le 6 févr. 2013 11:21, "Christian Schroetter"
> <c_schroetter@froonix.net> a écrit :
>
>> Just to confirm this bug on new systems ;-)
> I did managed to reproduce the issue. It seems that it's the SSL
> handshake (master -> node) that is causing the issue... I'm looking
> further on what changed between 1.4 & 2.0. Did you also upgrade any 
> SSL
> lib ? Steve

Message #29 received at 699803@bugs.debian.org (full text, mbox, reply):

From: Eero Häkkinen <eero17@bigfoot.com>

To: Steve Schnepp <steve.schnepp@munin-monitoring.org>

Cc: 699803@bugs.debian.org

Subject: Re: Bug#699803: Acknowledgement (munin: TLS not working with Munin master v2.0.x)

Date: Mon, 18 Mar 2013 11:28:50 +0200

[Message part 1 (text/plain, inline)]

Steve Schnepp wrote on 2013-02-28 14:54:54 +0100:
> I'm looking further on what changed between 1.4 & 2.0.

The fetch_service_config method in the file 
/usr/share/perl5/Munin/Master/Node.pm is changed to use the new 
_node_read_fast method which uses sysread for reading from a socket and 
bypasses the TLS layer completely.

A simple work-a-round to revert the fetch_service_config method to use 
the _node_read method instead of the _node_read_fast method for reading, 
like in the attached patch.

A proper fix whould probably be to make the _node_read_fast to work with 
TLS connections, too.

[munin.diff (text/x-diff, attachment)]

Message #34 received at 699803@bugs.debian.org (full text, mbox, reply):

From: Steve Schnepp <steve.schnepp@munin-monitoring.org>

To: Eero Häkkinen <eero17@bigfoot.com>

Cc: 699803@bugs.debian.org

Subject: Re: Bug#699803: Acknowledgement (munin: TLS not working with Munin master v2.0.x)

Date: Thu, 21 Mar 2013 20:35:29 +0100

[Message part 1 (text/plain, inline)]

Oh... That was it.

Big thanks on the debug !
Proper fix is on its way, and .12 will follow soonish.

-- 
Steve Schnepp
http://blog.pwkf.org/tag/munin
On Mon, Mar 18, 2013 at 10:28 AM, Eero Häkkinen <eero17@bigfoot.com> wrote:

> Steve Schnepp wrote on 2013-02-28 14:54:54 +0100:
> > I'm looking further on what changed between 1.4 & 2.0.
>
> The fetch_service_config method in the file
> /usr/share/perl5/Munin/Master/Node.pm is changed to use the new
> _node_read_fast method which uses sysread for reading from a socket and
> bypasses the TLS layer completely.
>
> A simple work-a-round to revert the fetch_service_config method to use
> the _node_read method instead of the _node_read_fast method for reading,
> like in the attached patch.
>
> A proper fix whould probably be to make the _node_read_fast to work with
> TLS connections, too.
>

[Message part 2 (text/html, inline)]

Message #39 received at 699803@bugs.debian.org (full text, mbox, reply):

From: Steve Schnepp <steve.schnepp@munin-monitoring.org>

To: Eero Häkkinen <eero17@bigfoot.com>

Cc: 699803@bugs.debian.org, "control@bugs.debian.org" <control@bugs.debian.org>

Subject: Re: Bug#699803: Acknowledgement (munin: TLS not working with Munin master v2.0.x)

Date: Thu, 21 Mar 2013 21:05:06 +0100

[Message part 1 (text/plain, inline)]

tag + upstream fixed-upstream
done

It is fixed upstream in 71d0a86 [1].

Thanks guys !

[1]
http://munin-monitoring.org/changeset/71d0a86c2b6f549e265be1718db8b20c227c9235

Steve
Le 21 mars 2013 20:35, "Steve Schnepp" <steve.schnepp@munin-monitoring.org>
a écrit :

> Oh... That was it.
>
> Big thanks on the debug !
> Proper fix is on its way, and .12 will follow soonish.
>
> --
> Steve Schnepp
> http://blog.pwkf.org/tag/munin
> On Mon, Mar 18, 2013 at 10:28 AM, Eero Häkkinen <eero17@bigfoot.com>wrote:
>
>> Steve Schnepp wrote on 2013-02-28 14:54:54 +0100:
>> > I'm looking further on what changed between 1.4 & 2.0.
>>
>> The fetch_service_config method in the file
>> /usr/share/perl5/Munin/Master/Node.pm is changed to use the new
>> _node_read_fast method which uses sysread for reading from a socket and
>> bypasses the TLS layer completely.
>>
>> A simple work-a-round to revert the fetch_service_config method to use
>> the _node_read method instead of the _node_read_fast method for reading,
>> like in the attached patch.
>>
>> A proper fix whould probably be to make the _node_read_fast to work with
>> TLS connections, too.
>>
>
>

[Message part 2 (text/html, inline)]

Message #52 received at 699803-close@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@debian.org>

To: 699803-close@bugs.debian.org

Subject: Bug#699803: fixed in munin 2.0.6-4

Date: Tue, 16 Apr 2013 14:47:41 +0000

Source: munin
Source-Version: 2.0.6-4

We believe that the bug you reported is fixed in the latest version of
munin, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 699803@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Holger Levsen <holger@debian.org> (supplier of updated munin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 16 Apr 2013 15:48:03 +0200
Source: munin
Binary: munin-node munin-plugins-core munin-plugins-extra munin-plugins-java munin munin-common munin-async munin-doc
Architecture: source all
Version: 2.0.6-4
Distribution: unstable
Urgency: medium
Maintainer: Munin Debian Maintainers <packaging@munin-monitoring.org>
Changed-By: Holger Levsen <holger@debian.org>
Description: 
 munin      - network-wide graphing framework (grapher/gatherer)
 munin-async - network-wide graphing framework (async master/client)
 munin-common - network-wide graphing framework (common)
 munin-doc  - network-wide graphing framework (documentation)
 munin-node - network-wide graphing framework (node)
 munin-plugins-core - network-wide graphing framework (plugins for node)
 munin-plugins-extra - network-wide graphing framework (user contributed plugins for nod
 munin-plugins-java - network-wide graphing framework (java plugins for node)
Closes: 699803 703479
Changes: 
 munin (2.0.6-4) unstable; urgency=medium
 .
   * Master/Node.pm: cherry-pick 71d0a86 from 2.0.12 to fix TLS enabled
     updates. (Closes: #699803)
   * several master components: turn INFO messages into DEBUG messages to avoid
     logfiles reaching gigabyte sizes in a few days. The cherries picked were
     8ad5dda (from 2.0.7) and 4372cdf (from 2.0.12). (Closes: #703479)
Checksums-Sha1: 
 4e1624fc5a73f9e00b3d514b977cf0610ca8e256 2355 munin_2.0.6-4.dsc
 8011286893e7a05d9a082ee80bf37b1109035146 52211 munin_2.0.6-4.diff.gz
 173a08b51aad02059316910711d0eb014324cb2f 129330 munin-node_2.0.6-4_all.deb
 a34f587fad2b5c42627e51b298786a9751c97445 304864 munin-plugins-core_2.0.6-4_all.deb
 5247406d79f9b126fef303540ed41c4c6cca4a98 155486 munin-plugins-extra_2.0.6-4_all.deb
 af2c2bf1c5cb9b7a04f065f76853fc5a9988a457 148120 munin-plugins-java_2.0.6-4_all.deb
 4a03035ff532cab91d3f63e380ad4a6785f63c97 202488 munin_2.0.6-4_all.deb
 9a616ed3929d74aaa70505ae9ff71a061a2a89c1 95064 munin-common_2.0.6-4_all.deb
 3ebfaa575a5cd22fd712cac994ff8f6447b0b4d3 86592 munin-async_2.0.6-4_all.deb
 78bc7bb83616c1996bb152ae20b7592498278603 213382 munin-doc_2.0.6-4_all.deb
Checksums-Sha256: 
 10df877ad47ddd628a1feb35769dcc246c32fafc76bb0bab00eaf3262c3ac1d7 2355 munin_2.0.6-4.dsc
 89df5a4da8b6f31d6793273b7cc833ab55057c9da9ab491aec9cb2127171df14 52211 munin_2.0.6-4.diff.gz
 06048b2db6fd5361cc89cb7d50ca9c95ff506f9637e834c54df9e3c9cf04257b 129330 munin-node_2.0.6-4_all.deb
 3c7bd75e107f023b86acb0096974422b6bfc53af1672adc9d1a2638ba01c5b16 304864 munin-plugins-core_2.0.6-4_all.deb
 a620d6f77b327e6d60ac42a4e698659fa5c1429adef797218ee6dbdd719917c8 155486 munin-plugins-extra_2.0.6-4_all.deb
 203a811d7ad00c9e44bcdc28420b75425524b0e11bd34c2c66f12d2eb696a29d 148120 munin-plugins-java_2.0.6-4_all.deb
 f80a37a54c5c5e9e17e1648023e075b1bac2b4e426711fe2334ac717ac6a9098 202488 munin_2.0.6-4_all.deb
 9b04460def2af8940006e26780ea26274d18a9a75bc034cb7db08c91df2e7984 95064 munin-common_2.0.6-4_all.deb
 6ba40f018a98ecc87108cbfb67a2694deaf54b93bae42cb2734fd09489abbf62 86592 munin-async_2.0.6-4_all.deb
 35c83d1a06386272cd5552bbb304aa9a088e3ab5e2ada0d3291ae3dae80ff613 213382 munin-doc_2.0.6-4_all.deb
Files: 
 267a7fe5827d1ba53d312141d0c55fc6 2355 net optional munin_2.0.6-4.dsc
 fa4ac294473dec8e9177f0364540e92f 52211 net optional munin_2.0.6-4.diff.gz
 c582ca76f64bd5deec4fefb3a86f9c9b 129330 net optional munin-node_2.0.6-4_all.deb
 43b89fba457c8d42e46c071afbfa0f71 304864 net optional munin-plugins-core_2.0.6-4_all.deb
 555983075b3334afe020f30a1b60b5e7 155486 net optional munin-plugins-extra_2.0.6-4_all.deb
 85ec843c7f040a8a76f5e468c70f6bb9 148120 net optional munin-plugins-java_2.0.6-4_all.deb
 18187f801b5177a954efcdf686019894 202488 net optional munin_2.0.6-4_all.deb
 3675301171e3698328b0a0e70eec1b38 95064 net optional munin-common_2.0.6-4_all.deb
 053a35d1d29d75c322def7a79c8cd324 86592 net optional munin-async_2.0.6-4_all.deb
 dc6e815833df47796169016bf0e0c247 213382 doc optional munin-doc_2.0.6-4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIVAwUBUW1fhwkauFYGmqocAQiG5Q//d19e/ke9a9jDlIbfCDRjVNFsE6yrWYKy
OIKLe9EoamxUMVH+a8q1mXsLFyTJ2H61AEM+srfby1b/X078lwbLagbpvTZLPKQR
LEP3FMyYAXRzfV0JRJKx/8FFYiJOdFHokYv3MjMrdE7D3S+1pd+cSp+h8uA91Ivx
L8nFwl4OAqfZeU5x3K6pzDbh41LA1sNRqL22PEFMwE/3N8NbaAD6GgoSMk/qNlLk
MoL4x+VfuypZ2ns+APURALZ7hcNvxkbkEjKFkoEojNzmAdGBmx79jlOF+2J1Q05g
ChJJKQcu0O/YH6oqdV0pWeTP9FwCx+F38aF6bAHpB2euW+WRuaVFqWQQgLrLm/Qq
scmcKf2SMrniPziY/OzivaoF8BdqwuC0HQZn6x0H/XjlS61y7gSqd8QC7/uXdVA+
P9Ch5c71YnspjgKIQWA4XOs0H3CDMC/FkoHXIpn1iTySOdqPpnPV/QlYPYK0lTAJ
f+uVuSkayY+xlpPLPLLCJ5gNf6uFFgFQzwDBSQKipQDLncFh3PZw2Y+hA5jQwjb+
Bp7wrc4yXBPb+zZ9uOmXQdJzqQyotLKip8cZyY/04p0Kko7R94SfuVMBmuvHmzj3
2aOv7juVVSfxKzxElfVQgbX5GaKOEpSwoUc09Cf6M+BuXxJKcjAll+W4Q2zDbZ/V
lHLZ9iFI8Vg=
=CsXP
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.